GitLab has recently issued critical security patches addressing eleven distinct vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE). Versions 18.0.1, 17.11.3 and 17.10.7 were released simultaneously. Three high-risk flaws enabling denial-of-service (DoS) attacks dominate the set. This is GitLab's most comprehensive security release so far in 2025, and it affects all deployment models, including Omnibus, source-code and Helm chart installations. The most severe vulnerability, CVE-2025-0993, allows an authenticated attacker to exhaust server resources through an unprotected large-blob endpoint; it scores 7.5 on CVSS. In unprotected production environments this flaw could sustain prolonged downtime.
Two additional medium-severity DoS vectors were also identified and addressed. CVE-2025-3111 lies in the platform's Kubernetes integration, where inadequate input validation exposes clusters to unbounded token generation. CVE-2025-2853 involves note positioning in GitLab's interface: unvalidated note positions can be used to disrupt service availability. Together these flaws let an attacker mount multi-pronged attacks across infrastructure layers. A fourth DoS pathway, CVE-2024-7803, runs through the Discord third-party webhook integration, where malformed payloads can crash subsystems.
This highlights the growing attack surface from third-party platform integrations in DevOps.
Beyond DoS, the update addresses several authentication-related flaws. CVE-2024-12093 is a SAML validation weakness that, under specific conditions, could allow specially crafted responses to bypass two-factor authentication requirements; this medium-severity vulnerability could enable account takeover by a skilled attacker. The release also resolves CVE-2025-4979, in which an attacker could expose normally masked CI/CD variables by analysing certain HTTP response data, an information disclosure flaw that may expose sensitive credentials such as API keys. CVE-2025-0679 fixes a UI oversight that revealed users' full email addresses. Low-severity fixes cover branch name confusion and unauthorized GraphQL job data access.
GitLab strongly urges all users to upgrade immediately to the patched versions.
Versions 17.10.7, 17.11.3 and 18.0.1 contain the fixes for all reported vulnerabilities. The release follows GitLab's regular twice-monthly patch cadence. After updating, security teams should review Kubernetes configurations, webhooks and SAML implementations. GitLab also recommends outbound allowlists for SSRF protection and auditing CI/CD variables. Seven of the eleven fixed vulnerabilities were credited to external researchers through GitLab's HackerOne bug bounty program. Enterprises should validate container images and update runner configurations alongside the core upgrade. The release underscores the need for continuous vulnerability management.
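Because the fixes ship per release branch, a version check has to compare against the patch level of the branch an instance is on, not against a single number. The helper below is an added example written for this article, not GitLab code; it assumes version strings in GitLab's usual `MAJOR.MINOR.PATCH[-ce|-ee]` form and treats branches newer than 18.0 as outside this advisory's scope.

```python
"""Classify a GitLab version string against the fixed releases in this advisory."""
import re
from typing import Optional

# Fixed releases named in the advisory, keyed by release branch (major, minor).
# Any build on one of these branches below the listed patch level still
# carries the eleven vulnerabilities described above.
PATCHED_BY_BRANCH = {
    (18, 0): (18, 0, 1),
    (17, 11): (17, 11, 3),
    (17, 10): (17, 10, 7),
}

# Matches e.g. "17.11.2-ee", "18.0.1-ce" or a bare "17.10.7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?$")


def parse_version(version: str) -> Optional[tuple]:
    """Turn '17.11.2-ee' into (17, 11, 2); return None for unrecognised input."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        return None
    return tuple(int(match.group(i)) for i in range(1, 4))


def patch_status(version: str) -> str:
    """Return one of: 'patched', 'vulnerable', 'unsupported-branch',
    'newer-branch' or 'unparseable'.

    'unsupported-branch' means the instance runs a branch older than 17.10,
    which received no fix and must move to a fixed branch. 'newer-branch'
    (assumption: anything above 18.0) is simply outside this advisory.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, minor, _patch = parsed
    branch = (major, minor)
    if branch in PATCHED_BY_BRANCH:
        return "patched" if parsed >= PATCHED_BY_BRANCH[branch] else "vulnerable"
    if branch > (18, 0):
        return "newer-branch"
    return "unsupported-branch"


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for v in ("18.0.1-ee", "17.11.2-ce", "17.9.9", "18.1.0", "v17.11.3"):
        print(f"{v:12} -> {patch_status(v)}")
```

The version string can be read from the instance's `/api/v4/version` endpoint or from `gitlab-rake gitlab:env:info` on an Omnibus host and fed to `patch_status`.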